Hi,

with current HEAD of nftables [0663bfe ("mnl: rework netlink socket receive path for events")] and with current nf-next HEAD kernel [851345c ("netfilter: reduce sparse warnings")] I'm hitting a segfault.

There seems to be a strcmp over a NULL string. Unfortunately I can't try to solve this myself right now.

It can be reproduced with this simple file:

========== 8< ==========
flush ruleset
table inet filter {
	chain test0 {
	}
	chain test1 {
	}
	chain test2 {
	}
	chain test {
		oif vmap { eth0 : jump test0, eth1 : jump test1, eth2 : jump test2 }
	}
}
========== 8< ==========

loaded with:

% nft -f file

produces:

nft[2307]: segfault at 100000000 ip 00007f3f0a3ea27a sp 00007ffe04e524a8 error 4 in libc-2.19.so[7f3f0a36a000+19f000]

The gdb backtrace:

[...]
(gdb) bt
#0  __strcmp_sse2 () at ../sysdeps/x86_64/multiarch/../strcmp.S:210
#1  0x00000000004078a4 in chain_lookup (table=table@entry=0x653950, h=h@entry=0x6539f0) at rule.c:518
#2  0x000000000040e771 in chain_evaluate (ctx=ctx@entry=0x7fffffffe4c8, chain=chain@entry=0x6539e0) at evaluate.c:1873
#3  0x000000000040ee6f in table_evaluate (table=0x654920, ctx=0x7fffffffe4c8) at evaluate.c:1919
#4  cmd_evaluate_add (cmd=<optimized out>, ctx=0x7fffffffe4c8) at evaluate.c:1940
#5  cmd_evaluate (ctx=0x7fffffffe4c8, cmd=<optimized out>) at evaluate.c:2098
#6  0x00000000004257f0 in nft_parse (scanner=scanner@entry=0x64f4b0, state=state@entry=0x7fffffffdee0) at parser_bison.y:566
#7  0x00000000004063ed in nft_run (scanner=scanner@entry=0x64f4b0, state=state@entry=0x7fffffffdee0, msgs=msgs@entry=0x7fffffffded0) at main.c:231
#8  0x0000000000406052 in main (argc=<optimized out>, argv=<optimized out>) at main.c:357

Find attached valgrind report.

--
Arturo Borrero González
% sudo valgrind nft -f ruleset.nft
==2239== Memcheck, a memory error detector
==2239== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==2239== Using Valgrind-3.10.1 and LibVEX; rerun with -h for copyright info
==2239== Command: nft -f ruleset.nft
==2239==
==2239== Syscall param socketcall.sendto(msg) points to uninitialised byte(s)
==2239==    at 0x580E143: __sendto_nocancel (syscall-template.S:81)
==2239==    by 0x419BA2: nft_mnl_talk (mnl.c:80)
==2239==    by 0x41B08C: mnl_nft_set_dump (mnl.c:772)
==2239==    by 0x41350B: netlink_list_sets (netlink.c:1248)
==2239==    by 0x407448: cache_init_objects (rule.c:79)
==2239==    by 0x407448: cache_init (rule.c:133)
==2239==    by 0x407448: cache_update (rule.c:150)
==2239==    by 0x40E9D9: cmd_evaluate (evaluate.c:2081)
==2239==    by 0x4257EF: nft_parse (parser_bison.y:566)
==2239==    by 0x4063EC: nft_run (main.c:231)
==2239==    by 0x406051: main (main.c:357)
==2239==  Address 0xffeff971f is on thread 1's stack
==2239==  in frame #2, created by mnl_nft_set_dump (mnl.c:750)
==2239==
==2239== Syscall param socketcall.sendto(msg) points to uninitialised byte(s)
==2239==    at 0x580E143: __sendto_nocancel (syscall-template.S:81)
==2239==    by 0x419BA2: nft_mnl_talk (mnl.c:80)
==2239==    by 0x41B442: mnl_nft_setelem_get (mnl.c:904)
==2239==    by 0x41383A: netlink_get_setelems (netlink.c:1512)
==2239==    by 0x4074AD: cache_init_objects (rule.c:87)
==2239==    by 0x4074AD: cache_init (rule.c:133)
==2239==    by 0x4074AD: cache_update (rule.c:150)
==2239==    by 0x40E9D9: cmd_evaluate (evaluate.c:2081)
==2239==    by 0x4257EF: nft_parse (parser_bison.y:566)
==2239==    by 0x4063EC: nft_run (main.c:231)
==2239==    by 0x406051: main (main.c:357)
==2239==  Address 0xffeff970f is on thread 1's stack
==2239==  in frame #2, created by mnl_nft_setelem_get (mnl.c:895)
==2239==
==2239== Invalid read of size 8
==2239==    at 0x406B24: handle_merge (rule.c:46)
==2239==    by 0x40EE63: table_evaluate (evaluate.c:1918)
==2239==    by 0x40EE63: cmd_evaluate_add (evaluate.c:1940)
==2239==    by 0x40EE63: cmd_evaluate (evaluate.c:2098)
==2239==    by 0x4257EF: nft_parse (parser_bison.y:566)
==2239==    by 0x4063EC: nft_run (main.c:231)
==2239==    by 0x406051: main (main.c:357)
==2239==  Address 0x5cff808 is 0 bytes after a block of size 184 alloc'd
==2239==    at 0x4C2AD10: calloc (vg_replace_malloc.c:623)
==2239==    by 0x4195AD: xmalloc (utils.c:36)
==2239==    by 0x4195AD: xzalloc (utils.c:54)
==2239==    by 0x407CAD: table_alloc (rule.c:651)
==2239==    by 0x41078D: netlink_delinearize_table.isra.5 (netlink.c:923)
==2239==    by 0x4107EC: list_table_cb (netlink.c:939)
==2239==    by 0x5043B73: nft_table_list_foreach (table.c:535)
==2239==    by 0x41300F: netlink_list_tables (netlink.c:960)
==2239==    by 0x4073DC: cache_init_tables (rule.c:62)
==2239==    by 0x4073DC: cache_init (rule.c:130)
==2239==    by 0x4073DC: cache_update (rule.c:150)
==2239==    by 0x40E9D9: cmd_evaluate (evaluate.c:2081)
==2239==    by 0x4257EF: nft_parse (parser_bison.y:566)
==2239==    by 0x4063EC: nft_run (main.c:231)
==2239==    by 0x406051: main (main.c:357)
==2239==
==2239== Invalid read of size 8
==2239==    at 0x406B2F: handle_merge (rule.c:48)
==2239==    by 0x40EE63: table_evaluate (evaluate.c:1918)
==2239==    by 0x40EE63: cmd_evaluate_add (evaluate.c:1940)
==2239==    by 0x40EE63: cmd_evaluate (evaluate.c:2098)
==2239==    by 0x4257EF: nft_parse (parser_bison.y:566)
==2239==    by 0x4063EC: nft_run (main.c:231)
==2239==    by 0x406051: main (main.c:357)
==2239==  Address 0x5cff810 is 8 bytes after a block of size 184 alloc'd
==2239==    at 0x4C2AD10: calloc (vg_replace_malloc.c:623)
==2239==    by 0x4195AD: xmalloc (utils.c:36)
==2239==    by 0x4195AD: xzalloc (utils.c:54)
==2239==    by 0x407CAD: table_alloc (rule.c:651)
==2239==    by 0x41078D: netlink_delinearize_table.isra.5 (netlink.c:923)
==2239==    by 0x4107EC: list_table_cb (netlink.c:939)
==2239==    by 0x5043B73: nft_table_list_foreach (table.c:535)
==2239==    by 0x41300F: netlink_list_tables (netlink.c:960)
==2239==    by 0x4073DC: cache_init_tables (rule.c:62)
==2239==    by 0x4073DC: cache_init (rule.c:130)
==2239==    by 0x4073DC: cache_update (rule.c:150)
==2239==    by 0x40E9D9: cmd_evaluate (evaluate.c:2081)
==2239==    by 0x4257EF: nft_parse (parser_bison.y:566)
==2239==    by 0x4063EC: nft_run (main.c:231)
==2239==    by 0x406051: main (main.c:357)
==2239==
==2239== Invalid write of size 8
==2239==    at 0x406B3A: handle_merge (rule.c:49)
==2239==    by 0x40EE63: table_evaluate (evaluate.c:1918)
==2239==    by 0x40EE63: cmd_evaluate_add (evaluate.c:1940)
==2239==    by 0x40EE63: cmd_evaluate (evaluate.c:2098)
==2239==    by 0x4257EF: nft_parse (parser_bison.y:566)
==2239==    by 0x4063EC: nft_run (main.c:231)
==2239==    by 0x406051: main (main.c:357)
==2239==  Address 0x5cff810 is 8 bytes after a block of size 184 alloc'd
==2239==    at 0x4C2AD10: calloc (vg_replace_malloc.c:623)
==2239==    by 0x4195AD: xmalloc (utils.c:36)
==2239==    by 0x4195AD: xzalloc (utils.c:54)
==2239==    by 0x407CAD: table_alloc (rule.c:651)
==2239==    by 0x41078D: netlink_delinearize_table.isra.5 (netlink.c:923)
==2239==    by 0x4107EC: list_table_cb (netlink.c:939)
==2239==    by 0x5043B73: nft_table_list_foreach (table.c:535)
==2239==    by 0x41300F: netlink_list_tables (netlink.c:960)
==2239==    by 0x4073DC: cache_init_tables (rule.c:62)
==2239==    by 0x4073DC: cache_init (rule.c:130)
==2239==    by 0x4073DC: cache_update (rule.c:150)
==2239==    by 0x40E9D9: cmd_evaluate (evaluate.c:2081)
==2239==    by 0x4257EF: nft_parse (parser_bison.y:566)
==2239==    by 0x4063EC: nft_run (main.c:231)
==2239==    by 0x406051: main (main.c:357)
==2239==
==2239== Invalid read of size 8
==2239==    at 0x406B3E: handle_merge (rule.c:50)
==2239==    by 0x40EE63: table_evaluate (evaluate.c:1918)
==2239==    by 0x40EE63: cmd_evaluate_add (evaluate.c:1940)
==2239==    by 0x40EE63: cmd_evaluate (evaluate.c:2098)
==2239==    by 0x4257EF: nft_parse (parser_bison.y:566)
==2239==    by 0x4063EC: nft_run (main.c:231)
==2239==    by 0x406051: main (main.c:357)
==2239==  Address 0x5cff818 is 16 bytes after a block of size 184 alloc'd
==2239==    at 0x4C2AD10: calloc (vg_replace_malloc.c:623)
==2239==    by 0x4195AD: xmalloc (utils.c:36)
==2239==    by 0x4195AD: xzalloc (utils.c:54)
==2239==    by 0x407CAD: table_alloc (rule.c:651)
==2239==    by 0x41078D: netlink_delinearize_table.isra.5 (netlink.c:923)
==2239==    by 0x4107EC: list_table_cb (netlink.c:939)
==2239==    by 0x5043B73: nft_table_list_foreach (table.c:535)
==2239==    by 0x41300F: netlink_list_tables (netlink.c:960)
==2239==    by 0x4073DC: cache_init_tables (rule.c:62)
==2239==    by 0x4073DC: cache_init (rule.c:130)
==2239==    by 0x4073DC: cache_update (rule.c:150)
==2239==    by 0x40E9D9: cmd_evaluate (evaluate.c:2081)
==2239==    by 0x4257EF: nft_parse (parser_bison.y:566)
==2239==    by 0x4063EC: nft_run (main.c:231)
==2239==    by 0x406051: main (main.c:357)
==2239==
==2239== Invalid write of size 8
==2239==    at 0x406B49: handle_merge (rule.c:51)
==2239==    by 0x40EE63: table_evaluate (evaluate.c:1918)
==2239==    by 0x40EE63: cmd_evaluate_add (evaluate.c:1940)
==2239==    by 0x40EE63: cmd_evaluate (evaluate.c:2098)
==2239==    by 0x4257EF: nft_parse (parser_bison.y:566)
==2239==    by 0x4063EC: nft_run (main.c:231)
==2239==    by 0x406051: main (main.c:357)
==2239==  Address 0x5cff818 is 16 bytes after a block of size 184 alloc'd
==2239==    at 0x4C2AD10: calloc (vg_replace_malloc.c:623)
==2239==    by 0x4195AD: xmalloc (utils.c:36)
==2239==    by 0x4195AD: xzalloc (utils.c:54)
==2239==    by 0x407CAD: table_alloc (rule.c:651)
==2239==    by 0x41078D: netlink_delinearize_table.isra.5 (netlink.c:923)
==2239==    by 0x4107EC: list_table_cb (netlink.c:939)
==2239==    by 0x5043B73: nft_table_list_foreach (table.c:535)
==2239==    by 0x41300F: netlink_list_tables (netlink.c:960)
==2239==    by 0x4073DC: cache_init_tables (rule.c:62)
==2239==    by 0x4073DC: cache_init (rule.c:130)
==2239==    by 0x4073DC: cache_update (rule.c:150)
==2239==    by 0x40E9D9: cmd_evaluate (evaluate.c:2081)
==2239==    by 0x4257EF: nft_parse (parser_bison.y:566)
==2239==    by 0x4063EC: nft_run (main.c:231)
==2239==    by 0x406051: main (main.c:357)
==2239==
==2239== Invalid read of size 8
==2239==    at 0x406B4D: handle_merge (rule.c:52)
==2239==    by 0x40EE63: table_evaluate (evaluate.c:1918)
==2239==    by 0x40EE63: cmd_evaluate_add (evaluate.c:1940)
==2239==    by 0x40EE63: cmd_evaluate (evaluate.c:2098)
==2239==    by 0x4257EF: nft_parse (parser_bison.y:566)
==2239==    by 0x4063EC: nft_run (main.c:231)
==2239==    by 0x406051: main (main.c:357)
==2239==  Address 0x5cff828 is 24 bytes after a block of size 192 in arena "client"
==2239==
==2239== Invalid read of size 1
==2239==    at 0x4C2D1D3: strcmp (vg_replace_strmem.c:755)
==2239==    by 0x4078A3: chain_lookup (rule.c:518)
==2239==    by 0x40E770: chain_evaluate (evaluate.c:1873)
==2239==    by 0x40EE6E: table_evaluate (evaluate.c:1919)
==2239==    by 0x40EE6E: cmd_evaluate_add (evaluate.c:1940)
==2239==    by 0x40EE6E: cmd_evaluate (evaluate.c:2098)
==2239==    by 0x4257EF: nft_parse (parser_bison.y:566)
==2239==    by 0x4063EC: nft_run (main.c:231)
==2239==    by 0x406051: main (main.c:357)
==2239==  Address 0x100000000 is not stack'd, malloc'd or (recently) free'd
==2239==
==2239==
==2239== Process terminating with default action of signal 11 (SIGSEGV)
==2239==  Access not within mapped region at address 0x100000000
==2239==    at 0x4C2D1D3: strcmp (vg_replace_strmem.c:755)
==2239==    by 0x4078A3: chain_lookup (rule.c:518)
==2239==    by 0x40E770: chain_evaluate (evaluate.c:1873)
==2239==    by 0x40EE6E: table_evaluate (evaluate.c:1919)
==2239==    by 0x40EE6E: cmd_evaluate_add (evaluate.c:1940)
==2239==    by 0x40EE6E: cmd_evaluate (evaluate.c:2098)
==2239==    by 0x4257EF: nft_parse (parser_bison.y:566)
==2239==    by 0x4063EC: nft_run (main.c:231)
==2239==    by 0x406051: main (main.c:357)
==2239==  If you believe this happened as a result of a stack
==2239==  overflow in your program's main thread (unlikely but
==2239==  possible), you can try to increase the size of the
==2239==  main thread stack using the --main-stacksize= flag.
==2239==  The main thread stack size used in this run was 8388608.
==2239==
==2239== HEAP SUMMARY:
==2239==     in use at exit: 25,953 bytes in 102 blocks
==2239==   total heap usage: 161 allocs, 59 frees, 30,906 bytes allocated
==2239==
==2239== LEAK SUMMARY:
==2239==    definitely lost: 0 bytes in 0 blocks
==2239==    indirectly lost: 0 bytes in 0 blocks
==2239==      possibly lost: 0 bytes in 0 blocks
==2239==    still reachable: 25,953 bytes in 102 blocks
==2239==         suppressed: 0 bytes in 0 blocks
==2239== Rerun with --leak-check=full to see details of leaked memory
==2239==
==2239== For counts of detected and suppressed errors, rerun with: -v
==2239== Use --track-origins=yes to see where uninitialised values come from
==2239== ERROR SUMMARY: 10 errors from 9 contexts (suppressed: 0 from 0)
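As an added triage aid (not part of the report above and not nftables code), a small Python parser for Memcheck output of this shape: it groups each reported error with its faulting stack and allocation site and picks out the earliest out-of-bounds access, which in the attached report is the handle_merge read at rule.c:46, several errors before the strcmp in chain_lookup where the process finally died. The log it runs on is a constructed, abridged excerpt of the report above.

```python
import re
from dataclasses import dataclass, field

# Constructed, abridged Memcheck log in the shape of the attached report (most frames dropped).
SAMPLE_LOG = """\
==2239== Syscall param socketcall.sendto(msg) points to uninitialised byte(s)
==2239==    at 0x580E143: __sendto_nocancel (syscall-template.S:81)
==2239==
==2239== Invalid read of size 8
==2239==    at 0x406B24: handle_merge (rule.c:46)
==2239==    by 0x40EE63: table_evaluate (evaluate.c:1918)
==2239==  Address 0x5cff808 is 0 bytes after a block of size 184 alloc'd
==2239==    at 0x4C2AD10: calloc (vg_replace_malloc.c:623)
==2239==    by 0x407CAD: table_alloc (rule.c:651)
==2239==
==2239== Invalid read of size 1
==2239==    at 0x4C2D1D3: strcmp (vg_replace_strmem.c:755)
==2239==    by 0x4078A3: chain_lookup (rule.c:518)
==2239==  Address 0x100000000 is not stack'd, malloc'd or (recently) free'd
"""

PREFIX = re.compile(r"^==\d+==\s?")  # strips the "==2239== " PID prefix
FRAME = re.compile(r"^\s+(?:at|by) 0x[0-9A-Fa-f]+: (\S+) \((.+)\)$")
HEADER = re.compile(r"^(?:Invalid (?:read|write)|Syscall param|Conditional jump|Use of uninitialised)")

@dataclass
class MemcheckError:
    kind: str                                   # header line, e.g. "Invalid read of size 8"
    frames: list = field(default_factory=list)  # (function, file:line) of the faulting stack
    address: str = ""                           # the "Address ..." description, if any
    alloc_frames: list = field(default_factory=list)  # where the touched block was allocated

def parse_memcheck(text):
    """Split a Memcheck log into error records in the order they were reported."""
    errors, current, in_alloc = [], None, False
    for raw in text.splitlines():
        line = PREFIX.sub("", raw)
        if HEADER.match(line):
            current, in_alloc = MemcheckError(kind=line.strip()), False
            errors.append(current)
        elif current is None or not line.strip():
            current = None  # a bare ==PID== line closes the current block
        elif line.lstrip().startswith("Address "):
            current.address, in_alloc = line.strip(), True  # frames after this are the alloc site
        elif (m := FRAME.match(line)):
            (current.alloc_frames if in_alloc else current.frames).append(m.groups())
    return errors

def first_invalid_access(errors):  # earliest out-of-bounds access, not the frame that crashed
    return next(e for e in errors if e.kind.startswith("Invalid"))
```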